CVE-2021-20736

9.1 CRITICAL

📋 TL;DR

This NoSQL injection vulnerability in GROWI wiki software allows attackers to manipulate database queries and access/modify stored data. It affects GROWI versions before v4.2.20, potentially compromising sensitive information in wiki databases.

💻 Affected Systems

Products:
  • GROWI
Versions: All versions prior to v4.2.20
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all GROWI deployments using MongoDB/NoSQL database backend.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise allowing data theft, modification, or deletion of all wiki content including user credentials and sensitive documents.

🟠

Likely Case

Unauthorized access to wiki pages, user information, and potential privilege escalation within the GROWI application.

🟢

If Mitigated

Limited impact if proper input validation and database access controls are implemented separately.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires understanding of NoSQL injection techniques and GROWI's API endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.2.20 and later

Vendor Advisory: https://weseek.co.jp/security/2021/06/14/vulnerability/growi-nosql-ingection/

Restart Required: Yes

Instructions:

1. Back up your GROWI data and configuration.
2. Update GROWI to version 4.2.20 or later using your deployment method (Docker, manual install, etc.).
3. Restart the GROWI service.
4. Verify that the update was successful.

🔧 Temporary Workarounds

Input Validation Enhancement

all

Implement strict input validation on all user-controlled parameters passed to database queries.

Database Access Restriction

all

Configure MongoDB to use least privilege principle and restrict application database user permissions.
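One way to apply the input-validation workaround above in a Node.js/Express-style request handler, as an added example that is not GROWI's own code: it refuses any parsed request parameter that carries a MongoDB operator key ($ne, $regex, $where, ...) or a dotted path, and enforces plain-string types on fields that must never become query objects. The parameter names (username, password) and the sample inputs are assumed and constructed for illustration.

```javascript
'use strict';
// Added example, not GROWI code: block MongoDB operator keys in user-controlled input
// before it reaches a query. Parameter names below are assumed for illustration.

const MONGO_OPERATOR = /^\$/;   // $ne, $regex, $where, $gt, ...
const DOTTED_PATH = /\./;       // "profile.admin" reaches into nested documents

// Walks an already-parsed value (req.body / req.query as a body parser or qs
// would produce it) and returns the path of the first offending key, or null.
function findMongoOperator(value, path = '') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findMongoOperator(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const here = path ? `${path}.${key}` : key;
      if (MONGO_OPERATOR.test(key) || DOTTED_PATH.test(key)) return here;
      const hit = findMongoOperator(value[key], here);
      if (hit) return hit;
    }
  }
  return null;
}

// Strict type check for fields that must be plain strings: objects and arrays
// are rejected outright, so {"$ne": ""} can never become a query clause.
function requireString(params, name, maxLen = 256) {
  const v = params[name];
  if (typeof v !== 'string') throw new TypeError(`${name}: expected string, got ${typeof v}`);
  if (v.length === 0 || v.length > maxLen) throw new RangeError(`${name}: bad length`);
  return v;
}

// Validate a login-style request with both checks; returns {ok, reason}.
function validateLoginParams(params) {
  const hit = findMongoOperator(params);
  if (hit) return { ok: false, reason: `operator or dotted key at ${hit}` };
  try {
    requireString(params, 'username');
    requireString(params, 'password');
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  return { ok: true, reason: '' };
}

// Constructed sample inputs, shaped as a body parser would hand them to a handler.
const SAMPLES = {
  benign:   { username: 'alice', password: 's3cret' },
  operator: { username: { $ne: '' }, password: { $regex: '.*' } },
  where:    { $where: 'this.password.length > 0', username: 'alice' },
  dotted:   { username: 'alice', password: 'x', 'profile.admin': true },
};
```

Run the check before any parameter is interpolated into a Mongoose or driver query; a rejected request is also a useful log event for the detection section below.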

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to detect and block NoSQL injection patterns.
  • Isolate GROWI instance from other systems and implement strict network segmentation.

🔍 How to Verify

Check if Vulnerable:

Check the GROWI version in the admin panel or via the API endpoint /api/v3/version.

Check Version:

curl -s http://growi-host/api/v3/version | grep version

Verify Fix Applied:

Confirm that the reported version is 4.2.20 or higher, then test that known NoSQL injection vectors are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual database query patterns
  • Failed authentication attempts with malformed parameters
  • Unexpected database error messages

Network Indicators:

  • HTTP requests with unusual query parameters containing MongoDB operators ($where, $ne, $regex)
  • Abnormal API call patterns to GROWI endpoints

SIEM Query:

source="growi" AND ("$where" OR "$ne" OR "$regex") AND status=200
